Which owner and permission settings for an Apache and FTP setup? (Linux)

I have set up a LAMP stack, and I am confused about which permissions to use. From what I've read, it is often mentioned that files on the web server should be owned by www-data:www-data, as that is the account Apache runs as.

So my current settings for all web server files are:
-rwxrwxr-x www-data:www-data

The account I log in to FTP with is called admin, and is a member of the www-data group. (I've read that, for security reasons, it is not possible to log in as www-data.)

The problem I have is that I often need to delete files and copy old files (restoring a backup) to the web server through FTP. This means that the files I upload to the server will be owned by "admin" and get the default permissions "-rw-r--r--". It isn't very practical to have to run chown / chmod every time I upload something. And will it matter if the files are owned by admin instead of www-data? As long as www-data is the group owner, wouldn't that be sufficient for Apache?

What is best practice in this kind of scenario? Is it possible to make the system automatically apply the wanted ownership/permissions to every file that is uploaded to the web server? Or should I use some other permission settings?

andre_stAsked:
 
ghodderCommented:
It is fine if the files you are serving with Apache are owned by the 'admin' user. I would recommend they are owned by the 'admin' group as well if you created it, unless you require Apache to be able to modify the files it is serving.

The reason Apache runs as 'www-data' or sometimes 'apache' is so that it's running as an unprivileged user so that in the event that someone discovers a vulnerability, the damage they can cause to your server should be limited.

Having your web files owned by the same user Apache is running as means that an attacker could easily delete those files once they are able to exploit an Apache bug and execute some code.

If Apache runs as a different user to the owner of the files, you just need to chmod 0644 the files and chmod 0755 the directories so that Apache has read access while maintaining write access for your 'admin' user.
0
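As an added example (not code from any of the posters), a POSIX shell script that applies the layout ghodder describes (files 0644, directories 0755, owned by the FTP user with www-data as the group) to a web root, and a check that reports anything drifting from it. The setgid bit on directories, which makes files uploaded later inherit the www-data group, goes beyond the thread and is my addition; the account names admin and www-data are taken from the question.

```bash
#!/bin/sh
# Constructed example: normalise a web root so that Apache (www-data) can
# read everything while only the FTP account (admin) owns and writes it.
# Directories get 0755 plus the setgid bit (2755) so that new uploads
# inherit the www-data group; files get 0644. chown needs root and the
# real accounts, so it is left commented; the mode fixes run as-is.

# Usage: fix_webroot /var/www/html [owner] [group]
fix_webroot() {
    root=$1
    owner=${2:-admin}      # FTP account from the question
    group=${3:-www-data}   # account Apache runs as
    [ -d "$root" ] || return 1
    # chown -R "$owner:$group" "$root"    # run as root on a real host
    find "$root" -type d -exec chmod 2755 {} +
    find "$root" -type f -exec chmod 0644 {} +
}

# Print every path whose mode deviates from the policy.
# Returns 0 when the tree is clean, 1 when anything is listed.
check_webroot() {
    root=$1
    bad=$(find "$root" -type d ! -perm 2755 -o -type f ! -perm 0644)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Run check_webroot from cron or after each FTP restore to catch files that came back with the uploader's default -rw-r--r-- and group, instead of chmod'ing by hand each time.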
 
andre_stAuthor Commented:
Thanks for your reply!

Excuse my confusion, but I thought that the Apache server needs execute permission on the web content, as it is PHP code. Is it enough to just have 0644 on the files if Apache is not the owner of the files?

Or does 0755 on the directories mean that Apache has permission to execute the files in the folder, even if the files are set to 0644?
0
 
andre_stAuthor Commented:
Oh, and it's worth mentioning that I am running WordPress, which means that users can upload different media files to the web server. I assume that requires Apache (www-data) to have write access, and that all uploaded files will therefore be owned by www-data?
0

 
mreith80Commented:
First of all I wanted to state one thing: having the files owned by admin is NOT a good idea under any circumstance. If an attacker is going to exploit your web server, better to have him exploit an unprivileged user/group than an 'admin' privileged group. Any sudo commands or permissions the admin group is allowed will then pass on to the attacker. That being said, I know it is annoying but I would not suggest using www-data/www-data.

Additionally, to clarify: PHP files do not need the executable bit set to run, but they do need the execute permission on the directory.

Unfortunately, there is also no way to retain group ownership as www-data without setting up ACLs.

I hope this helps.

Regards,

Michael

E-Mail: mreith@gmail.com
Blogsite: http://technobloggings.blogspot.com
Twitter:  http://www.twitter.com/therealmreith
YouTube: http://www.youtube.com/technoblob (work in progress, visit back for updates and our premiere!)
0
 
mreith80Commented:
Oops, I meant "That being said, I know it is annoying but I would not suggest using www-data/www-data" to read "I WOULD SUGGEST". Darn annoying small tiny minuscule laptop keyboard!

<facepalm>


Regards,

Michael

E-Mail: mreith@gmail.com
Blogsite: http://technobloggings.blogspot.com
Twitter:  http://www.twitter.com/therealmreith
YouTube: http://www.youtube.com/technoblob (work in progress, visit back for updates and our premiere!)
0
 
andre_stAuthor Commented:
OK guys! Thanks for your help! I've applied the ownership as www-data:www-data, with directories set to 0755 and files to 0644.
0